Sniffing open WiFi networks is not wiretapping, judge says

Cheap and widely used interception gear means open WiFi traffic is public.

A federal judge in Illinois has ruled that intercepting traffic on unencrypted WiFi networks is not wiretapping. The decision runs counter to a 2011 decision that suggested Google may have violated the law when its Street View cars intercepted fragments of traffic from open WiFi networks around the country.

The ruling is a preliminary step in a larger patent trolling case. A company called Innovatio IP Ventures has accused various "hotels, coffee shops, restaurants, supermarkets," and other businesses that offer WiFi service to the public of infringing 17 of its patents. Innovatio wanted to use packet sniffing gear to gather WiFi traffic for use as evidence in the case. It planned to immediately delete the contents of the packets, only keeping the headers. Still, the firm was concerned that doing so might violate federal privacy laws, so it sought a preliminary ruling on the question.

Federal law makes it illegal to intercept electronic communications, but it includes an important exception. It's not illegal to intercept communications "made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public."

Judge James Holderman ruled that this exception applies to Innovatio's proposed packet sniffing. In the Google Street View case, a California judge had suggested that WiFi communications were not public, even if they were sent without encryption. But Judge Holderman reached the opposite conclusion:

Innovatio is intercepting WiFi communications with a Riverbed AirPcap Nx packet capture adapter, which is available to the public for purchase for $698.00. A more basic packet capture adapter is available for only $198.00. The software necessary to analyze the data that the packet capture adapters collect is available for download for free. With a packet capture adapter and the software, along with a basic laptop computer, any member of the general public within range of an unencrypted WiFi network can begin intercepting communications sent on that network. Many WiFi networks provided by commercial establishments (such as coffee shops and restaurants) are unencrypted, and open to such interference from anyone with the right equipment. In light of the ease of "sniffing" WiFi networks, the court concludes that the communications sent on an unencrypted WiFi network are readily available to the general public.

Legal scholar Orin Kerr disagrees with Judge Holderman's reasoning. "No one suggests that unsecured wireless networks are set up with the goal that everyone on the network would be free to read the private communications of others," he wrote. "In my view, that ends the matter: the exception doesn’t apply, and the interception of the contents of wireless communications is covered by the Wiretap Act."

Google's Street View case is now before the United States Court of Appeals for the Ninth Circuit—and the company no doubt hopes that the appellate court sees things Judge Holderman's way.

I am surprised. The "expectation of privacy" does not depend on how hard it is to intercept the communication. Recording a phone conversation with your own phone is illegal in many states (if the person on the other end doesn't know you're doing it). Reading someone else's postcard could be a federal offense. I should be able to connect to my wifi router with the "expectation" that Google isn't going to legally sniff my traffic, regardless of how easy it is to do.

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

Technically, intercepting signals on a telephone wire is simple and requires minimal expertise, but that's a protected transmission. A wireless phone similar. But it suddenly is unprotected when it's digital, rather than analog, data? Why would it suddenly change?

People have a reasonable expectation of privacy over wireless (unless specified otherwise, e.g. when you sign an agreement to use hotel wifi); it's not unreasonable to expect people not to try and listen in (so to speak) on your Google Talk conversations. Encryption is intended to protect data that people will disregard other's privacy to obtain, like bank passwords.

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

Do you seriously not know how wireless communication encryption works? Have you not heard of what you can do on unsecured networks already? Really?

Un-secured wifi networks are pretty much the same thing as having your fornt door wide open and walking around in your underwear then crying about how someone from the street saw you in your underwear.

Close and lock the damned door. (put a friggin password on your wifi connection)

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

Do you seriously not know how wireless communication encryption works? Have you not heard of what you can do on unsecured networks already? Really?

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

Your examples fail - many of those you have to request access to from a given agent. Coffee shops you gotta buy some coffee - they give you a temp pass. Hotels - same deal - you have to request a logon. Airports tend to charge a fee.

Un-secured wifi networks are pretty much the same thing as having your fornt door wide open and walking around in your underwear then crying about how someone from the street saw you in your underwear.

Close and lock the damned door. (put a friggin password on your wifi connection)

I agree with you that encrypting is the smart thing to do; however, the question is whether it's legal or not to intercept the communications. It does seem to me that the "reasonable expectation of privacy" metric is a good one. You can't accidentally "see" the WiFi like you can accidentally see someone in their underwear through an open front door. You have to buy specialized equipment and specifically look for it.

The judge's mention of the expense and availability of the equipment is irrelevant. Lots of snooping equipment is easily available and cheap. That doesn't make its use legal.

This seems somewhat related to the issue of the legality of radar detectors. It still baffles me that some states make them illegal when they're doing even less "decoding" than a WiFi sniffer.

On the one hand I haven't actually seen a personal open wifi in a few years now - not that I wardrive or anything but I do take a look at the wifi list whenever I'm in a new spot. I've only seen open wifis that are deliberately open to the public.

Do people who are not techies feel an expectation of privacy when using non-SSL sites on open wifi? I don't know. How good a job have we done explaining to the public that open wifi is completely snoopable if you're not on an SSL page? If the majority of users are *aware* that it is extremely easy to snoop, then perhaps the logic that it is a fully public communications channel stands. There is also the fact that the way open wifi works means that every packet IS inspected by your wifi receiver, and under normal circumstances those that are not addressed to you are simply ignored after checking said address. How much of a meaningful difference is there between a device receiving a packet, inspecting it, and deciding to discard it as irrelevant, and that device deciding to do "something" more with the packet after inspecting it?

I draw an ethical distinction between wifi networks that are deliberately open because they want the public to have access and those that are for private use but not encrypted, but of course an automated process has no way of knowing. So overall, I'm leaning towards packet capture on an open (in the sense of "deliberately open to the public") wifi not being wiretapping, as you're simply extending normal functionality.

In any case, always use the HTTPS version of any site on public wifi, regardless of the legal situation! If there is no HTTPS version assume your password, session cookie, etc will get stolen!

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

Your examples fail - many of those you have to request access to from a given agent. Coffee shops you gotta buy some coffee - they give you a temp pass. Hotels - same deal - you have to request a logon. Airports tend to charge a fee.

My example don't limit to those places. Again, they don't encrypt their network, you get directed to a page for temp password or paid a fee. There is no point encrypt those. It is the users who use public free wifi should be aware of the security.

I know, I'm quoting myself, it makes more sense since I am following my question with the answer I've found…

Quote:

The law, as quoted in the article, says nothing about the intended goal of the WiFI configuration, so why does Orin Kerr think the goal matters?

His explanation, which I failed to notice at first was linked, seems to confuse design with configuration.

For the systems involved in the precedents he mentions, they are designed in such a manner that there is no configuration involved. The systems work just one way and hardware available later, while making it easy for someone to listen in, don't change the privacy expectations.

I submit that because the design of WiFi permits a secure and an insecure configuration as options present in the design, if the specific configuration permits easy access, then the precedents he mention don't matter because the configuration (which is what the law refers to) is separable from the design in the case of WiFi, but not in his precedents.

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

No its not. Ive been to coffee shops that offer free access. They change the key daily. You order your coffee or whatever, then they give that days key. By having it encrypted, no one else in the area can view my communications, its as simple as that.

I remember reading something about the intent and reasonable expectation being very important in communication privacy cases. Even if the encryption method is trivial, it is still considered protected by the 4th amendment. This differentiate a phone call between two neighbors to the two people shouting through the walls: In the first case, both people intended for the communication to be private, and have gone through the process to communicate using a method where the expected recipient of their message is the only recipient. In the second case, both people still intended for the communication to be private, but have not gone through the process to communicate using a method where their expected recipient is NOT the only recipient.

Extrapolating this to mail, it can be argued that postcards do not have the same legal protection as regular mail, because what is being communicated is in plain sight.

Extrapolating this to electronic networks... is complicated, because the method of communicating with unencrypted WLAN is synonymous to digital shouting, but the problem is that most users do not know this, and had expected this to be secure, so i think it might satisfy the requirement that the person try to make their communication private... we'll see how this gets ruled once the Google case finishes.

Personally, I think using unencrypted wireless does not qualify for the "attempt to make secure" part, even if the users are ignorant of what they are actually doing.

Un-secured wifi networks are pretty much the same thing as having your fornt door wide open and walking around in your underwear then crying about how someone from the street saw you in your underwear.

Close and lock the damned door. (put a friggin password on your wifi connection)

Actually Id liken an open wifi router more like broadcasting over a CB radio.

There's a reason it's referred to as an "unsecure" network. It's because all traffic on it is not secure, which means that anyone with the capability to detect the network can gain access to the information sent on the network. With today's routers, it is so easy to set up a secure network, that IMHO, if you have an unsecure network, you deserve to have your information intercepted.

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

Do you seriously not know how wireless communication encryption works? Have you not heard of what you can do on unsecured networks already? Really?

My point is. If you are on a public free wifi. the user themselves should be responsible for it. Not the person who offer free access.

Why are you afraid of coffee shops putting a pass on their wifi and giving it out to CUSTOMERS? Is it because you get free internet from from one by simply sitting in the parking lot, or having an apartment nearby and dont want to have to actually be a patron of that business to continue getting your free wifi? I just dont see any other reason why you would disagree with businesses putting a password on their free wifi and giving it out to customers.

If you are walking on the sidewalk and hear somebody inside (open door, window, etc) a house scream at their spouse that they're going to kill you... is it your fault that you obtained that info? Could it be used against the person you heard? If so, how is that different from sniffing "in the clear" packets? Just curious...

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

No its not. Ive been to coffee shops that offer free access. They change the key daily. You order your coffee or whatever, then they give that days key. By having it encrypted, no one else in the area can view my communications, its as simple as that.

In such a case, they should be advertising it as "Free Wi-Fi*" with a disclaimer stating "free with purchase". Otherwise, they're dabbling in the tricky subject of false advertisement...

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

No its not. Ive been to coffee shops that offer free access. They change the key daily. You order your coffee or whatever, then they give that days key. By having it encrypted, no one else in the area can view my communications, its as simple as that.

There are coffee shop that don't encrypt their network. If they encrypt it. great. If not, it isn't their fault. This case ruling basically saying all free open wifi is bad. I disagree with that. This encrypt all wifi network should be applied everywhere but not always applicable to every case.

Technically, intercepting signals on a telephone wire is simple and requires minimal expertise, but that's a protected transmission. A wireless phone similar. But it suddenly is unprotected when it's digital, rather than analog, data? Why would it suddenly change?

People have a reasonable expectation of privacy over wireless (unless specified otherwise, e.g. when you sign an agreement to use hotel wifi); it's not unreasonable to expect people not to try and listen in (so to speak) on your Google Talk conversations. Encryption is intended to protect data that people will disregard other's privacy to obtain, like bank passwords.

The reason it's different is because of the design... How do you know if the network you are connecting to, is open because it was intended to be open, or because the owner is an idiot? You can't. That's why it's different.

When you connect to an open network, you look for a DHCP server and ask for an IP address... Then when you make a web request, you look for a DNS, and make a name resolution, then you open the site, ask for the index file, etc..

Nowhere in here is there anything to alert you that this was intended to be open for your use or not.

You can't compare this to an open door, because you are missing the handshake in that analogy... To compare it to an open door, would be like:

You go to a gentrified area, where small businesses occupy buildings that look like renovated houses. None of them are labeled very well... So you walk up to one door, and knock... Somebody opens the door. You ask if they have any food... They say yes, and seat you at a table... And offer you a snack... Meanwhile, somebody walks down the hall and asks what the hell you are doing in their house. How were you supposed to know it wasn't a business but a private residence? They still opened the door, they still answered your question regarding food, and they showed you a table...

Just like in a network... You ask the DHCP server for an IP, you ask the DNS for a resolution, etc. If you don't want to serve random people, lock that crap down. (ie, don't answer the door for every tom dick and harry that knocks, and certainly don't invite them into your house). That's exactly what happens with a router that you don't properly setup... It's basically a butler that answers your door, and invites everyone into your house... If you don't want that to happen, TRAIN YOUR BUTLER!

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

Do you seriously not know how wireless communication encryption works? Have you not heard of what you can do on unsecured networks already? Really?

My point is. If you are on a public free wifi. the user themselves should be responsible for it. Not the person who offer free access.

Why are you afraid of coffee shops putting a pass on their wifi and giving it out to CUSTOMERS? Is it because you get free internet from from one by simply sitting in the parking lot, or having an apartment nearby and dont want to have to actually be a patron of that business to continue getting your free wifi? I just dont see any other reason why you would disagree with businesses putting a password on their free wifi and giving it out to customers.

I am not afraid of coffee shop putting up a password. Again, I used as an example. Have you been to a shopping mall or airport? How do you plan to give out password to that amount of traffic? Most of them just let you connect to the open network and direct to page to paid the fees. That network is unsecure, you should be aware of it. This case rule made Ok for anyone to wire tape a open unsecure network. Point here is not whatever the network should be secure or not. It is intercept of data is okay or not. Just because it is open, doesn't make it right for people to wire tape you.

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

They shouldn't. If you want privacy, don't use an open network period.

Technically, intercepting signals on a telephone wire is simple and requires minimal expertise, but that's a protected transmission. A wireless phone similar. But it suddenly is unprotected when it's digital, rather than analog, data? Why would it suddenly change?

People have a reasonable expectation of privacy over wireless (unless specified otherwise, e.g. when you sign an agreement to use hotel wifi); it's not unreasonable to expect people not to try and listen in (so to speak) on your Google Talk conversations. Encryption is intended to protect data that people will disregard other's privacy to obtain, like bank passwords.

Intercepting a wire require some amount of tampering with a private physical media, it is equivalent to breaking a lock, which is easy too. A wireles phone is encrypted so it has a reasonable expectation of privacy. Unprotected WiFi is like shouting, the audience is just there with readily available equipment and suddenly the data comes to them through public physical media (air). You have no right to privacy because you didn't try to make the comunication private, even if you'd prefer the autience to mind their own business.

Could easily mitigate this by making all routers have a click-wrap agreement or notice stating that the information broadcast by this router is not for general public use, thereby taking it out of the jurisdiction of that law; also, anyone who connects asserts under criminal and/or financial liability that they are an authorized user by the owner of the connection.

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

No its not. Ive been to coffee shops that offer free access. They change the key daily. You order your coffee or whatever, then they give that days key. By having it encrypted, no one else in the area can view my communications, its as simple as that.

There are coffee shop that don't encrypt their network. If they encrypt it. great. If not, it isn't their fault. This case ruling basically saying all free open wifi is bad. I disagree with that. This encrypt all wifi network should be applied everywhere but not always applicable to every case.

I totally agree that its not always applicable, the statement I disagree with is "if you are going to give out free wifi, having encrypted(sic) and password network is pointless." No its not pointless, its taking an extra step to ensure your customers are being protected. One that you dont have to take, but it is better than offering "use at your own risk" open access that anyone can snoop on.

I think the case here refer to public free wi-fi like hotel, coffee shop, airport..... How you plan to encrypt those? If you going to give out free access, having encrypted and password network is pointless. I think the ruling should differentiated public free wifi and residential wifi

Do you seriously not know how wireless communication encryption works? Have you not heard of what you can do on unsecured networks already? Really?

My point is. If you are on a public free wifi. the user themselves should be responsible for it. Not the person who offer free access.

Why are you afraid of coffee shops putting a pass on their wifi and giving it out to CUSTOMERS? Is it because you get free internet from from one by simply sitting in the parking lot, or having an apartment nearby and dont want to have to actually be a patron of that business to continue getting your free wifi? I just dont see any other reason why you would disagree with businesses putting a password on their free wifi and giving it out to customers.

I am not afraid of coffee shop putting up a password. Again, I used as an example. Have you been to a shopping mall or airport? How do you plan to give out password to that amount of traffic? Most of them just let you connect to the open network and direct to page to paid the fees. That network is unsecure, you should be aware of it. This case rule made Ok for anyone to wire tape a open unsecure network. Point here is not whatever the network should be secure or not. It is intercept of data is okay or not. Just because it is open, doesn't make it right for people to wire tape you.

Its not wiretapping though. Its you broadcasting your info for anyone to see. Connecting to an open wifi network is no different then talking to your friends over a CB radio. If its not encrypted you are essentially broadcasting that info as far as the antenna will transmit it.

Un-secured wifi networks are pretty much the same thing as having your fornt door wide open and walking around in your underwear then crying about how someone from the street saw you in your underwear.

Close and lock the damned door. (put a friggin password on your wifi connection)

Actually Id liken an open wifi router more like broadcasting over a CB radio.

This is probably the best analogy for non-technical people to understand.

With respect to the specific hardware mentioned in the article, can someone explain why it is required? What does it give you that you can't get with a standard laptop wifi card + wireshark?

Could easily mitigate this by making all routers have a click-wrap agreement or notice stating that the information broadcast by this router is not for general public use, thereby taking it out of the jurisdiction of that law; also, anyone who connects asserts under criminal and/or financial liability that they are an authorized user by the owner of the connection.

In this case, it sounds like they were just sniffing packets, and not requesting any services (otherwise they don't need a capture device to see their own traffic). Broacasting in the clear, especially when you have an option not to, is a clear invitation to listen, regardless of if you say "please don't listen"; which maybe I didn't hear anyway.

Its not wiretapping though. Its you broadcasting your info for anyone to see. Connecting to an open wifi network is no different then talking to your friends over a CB radio. If its not encrypted you are essentially broadcasting that info as far as the antenna will transmit it.

So you are saying it was okay for google just collecting data from residential open wifi then? At this point, I hope everyone should secure their wi-fi network. There is just those few who isn't tech savvy or educated. Let them take the heat then.

Its not wiretapping though. Its you broadcasting your info for anyone to see. Connecting to an open wifi network is no different then talking to your friends over a CB radio. If its not encrypted you are essentially broadcasting that info as far as the antenna will transmit it.

So you are saying it was okay for google just collecting data from residential open wifi then? At this point, I hope everyone should secure their wi-fi network. There is just those few who isn't tech savvy or educated. Let them take the heat then.

I don't see what Google did being wrong, and I don't see this as wrong either. I don't make a distinction between digital security and physical security. If you can't be bothered to educate yourself, that is not someone elses problem, its your problem. If you need a key to get in your house, shouldn't you also need a "key" to get on your network?

Its not wiretapping though. Its you broadcasting your info for anyone to see. Connecting to an open wifi network is no different then talking to your friends over a CB radio. If its not encrypted you are essentially broadcasting that info as far as the antenna will transmit it.

So you are saying it was okay for google just collecting data from residential open wifi then? At this point, I hope everyone should secure their wi-fi network. There is just those few who isn't tech savvy or educated. Let them take the heat then.

I don't see what Google did being wrong, and I don't see this as wrong either. I don't make a distinction between digital security and physical security. If you can't be bothered to educate yourself, that is not someone elses problem, its your problem. If you need a key to get in your house, shouldn't you also need a "key" to get on your network?

I agree everyone should educate themselves. Really it is user responsibility, but I still disagree that companies can use this analogy to exploit our weakness. Not everyone is that digitally minded. By you logic, it made it legal for any scammers to scam us just because we didn't educate yourself on the subject matter. Why are we even bother having those consumer protection agencies. I don't expect my grandpa to understand this wifi network stuff like I do.

Timothy B. Lee / Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times.